14 DAY TRIAL // After unmasking how the JSPatch hot-patching toolkit could be used to go around Apple's App Store review process and deliver malware to users, researchers from security firm FireEye have uncovered a similar tool capable of enabling the same type of attacks against iOS users.
This new tool, offered as a Web service via the Rollout.io website, allows developers to deliver quick patches to an iOS application by sending the necessary code to every device where the app is installed without having to push an update to the official App Store.
While Apple hasn't moved against these types of updates, the company doesn't recommend them either, mainly because they rely on tools that can be hijacked to deliver much more than just "updated functionality."
Rollout is an agent of good and evil at the same time
FireEye's team claims that Rollout.io, just like JSPatch, can be abused in different ways and taken over by malicious attackers who can push malicious functionality to apps that employ it.
The way Rollout.io works is simple. Developers first need to include the Rollout SDK in their apps, which is a trivial step. They then need to use the SDK to parse their apps and generate a dSYM (debug symbol) file, which they have to upload to the Rollout.io Web panel.
This allows the Rollout.io backend to reflect the app's structure inside its management panel, allowing the developer to use various types of techniques to write updates and push them to all apps with the press of a button.
But while this all sounds perfect for developers who discover severe bugs that need to be fixed right away in their apps, FireEye researchers have found that an app developer can use Rollout to add malicious features to his app at any time he wishes, without Apple's or the user's consent.
Rollout can be used to push malicious features to iOS apps
A rogue app developer could easily write code that uses local iOS APIs, or even load custom APIs via Rollout, and add data exfiltration capabilities to his application, mining devices for sensitive information and uploading it to his own servers.
The problem is not that users can deliver code with "malicious functionality," but the fact that this code can access features and APIs that Apple prohibits in its app review process.
FireEye says that they've discovered over 245 iOS apps currently deploying the Rollout.io SDK. While JSPatch was developed and deployed mainly by Chinese developers, Rollout's service was built by an Israeli firm, and most of the developers who use it are from western countries.
The security vendor has contacted Rollout's parent company, which has said it will prepare fixes for its service to prevent developers from accessing iOS private APIs and private frameworks from their platform.